![Hero Framework](http://www.heroframework.com/themes/herosite/images/logo.png)
Hero Framework version 3.791 contains 2 XSS vulnerabilities, which can be exploited to perform cross-site scripting attacks against the vulnerable application.
The vulnerabilities exist due to insufficient sanitisation of user-supplied data in the "username" HTTP GET parameter passed to "/users/login" and the "error" HTTP GET parameter passed to "/users/forgot_password". A remote attacker can trick a logged-in user into opening a specially crafted link and execute arbitrary HTML and script code in the victim's browser in the context of the vulnerable website.
Solution: upgrade to Hero Framework version 3.80.
Source: High-Tech Bridge Advisory HTB23149 - Multiple XSS in Hero Framework.